chore(deps): update github/codeql-action action to v3.27.5 #471
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Super DevSecOps Pipeline | |
on: | |
push: | |
branches: ["main"] | |
pull_request: | |
branches: ["main"] | |
permissions: | |
contents: read | |
jobs: | |
code_quality: | |
name: Eslint | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Run ESLint | |
run: | | |
yarn install | |
npx eslint . | |
continue-on-error: true | |
build: | |
name: Build | |
runs-on: ubuntu-latest | |
needs: code_quality | |
strategy: | |
matrix: | |
node-version: [16.x, 18.x, 20.x] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout Repository to Runner Context | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Use Node version ${{ matrix.node-version }} | |
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
with: | |
node-version: ${{ matrix.node-version }} | |
cache: "yarn" | |
- name: Install Dependencies | |
run: | | |
yarn install | |
test: | |
name: Unit Tests | |
runs-on: ubuntu-latest | |
needs: build | |
strategy: | |
matrix: | |
node-version: [16.x, 18.x, 20.x] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout Repository to Runner Context | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Use Node version ${{ matrix.node-version }} | |
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
with: | |
node-version: ${{ matrix.node-version }} | |
cache: "yarn" | |
- name: Test with Jest | |
run: | | |
yarn install | |
yarn test | |
sast_codeql: | |
name: SAST with CodeQL | |
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | |
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} | |
needs: test | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
strategy: | |
fail-fast: false | |
matrix: | |
language: ["javascript-typescript"] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 | |
with: | |
languages: ${{ matrix.language }} | |
- name: Autobuild | |
uses: github/codeql-action/autobuild@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 | |
with: | |
category: "/language:${{matrix.language}}" | |
sast_sonar: | |
name: SAST with SonarCloud | |
permissions: | |
pull-requests: read # allows SonarCloud to decorate PRs with analysis results | |
runs-on: ubuntu-latest | |
needs: test | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Analyze with SonarCloud | |
uses: SonarSource/sonarcloud-github-action@44eed6088a971ec48af9300c3701483b8815f622 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
with: | |
args: -Dsonar.projectKey=stormsinbrewing_savvy-devsecops | |
-Dsonar.organization=stormsinbrewing | |
security_scorecard: | |
name: OpenSSF Security Scorecards | |
runs-on: ubuntu-latest | |
permissions: | |
# Don't make global permission: https://github.com/ossf/scorecard-action#workflow-restrictions | |
security-events: write # Needed to upload the results to code-scanning dashboard. | |
id-token: write # Needed to publish results and get a badge (see publish_results below). | |
needs: test | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: "Checkout code" | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
persist-credentials: false | |
- name: "Run analysis" | |
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 | |
with: | |
results_file: results.sarif | |
results_format: sarif | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
publish_results: true | |
- name: "Upload artifact" | |
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
with: | |
name: SARIF file | |
path: results.sarif | |
retention-days: 5 | |
- name: "Upload to code-scanning" | |
uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 | |
with: | |
sarif_file: results.sarif | |
build-and-push-image: | |
name: BnP GHCR | |
permissions: | |
contents: write | |
packages: write | |
runs-on: ubuntu-latest | |
needs: sast_codeql | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | |
with: | |
egress-policy: audit | |
- name: Checkout repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Log in to the Container registry | |
uses: docker/login-action@83a00bc1ab5ded6580f31df1c49e6aaa932d840d | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: BnP Docker Image | |
run: | | |
docker build -t ghcr.io/stormsinbrewing/savvy-devsecops . | |
docker push ghcr.io/stormsinbrewing/savvy-devsecops |